Configuring VPN remote access connections to use NAP based quarantine
This topic describes how to configure Microsoft Forefront Threat Management Gateway to work with Network Access Protection (NAP) enforcement. It assumes that you have configured your virtual private network (VPN) and verified that is working properly. Configuring Forefront TMG to work with NAP includes the following tasks:
- Setting EAP as the authentication method for VPN clients
- Configuring RADIUS settings, which includes setting RADIUS as the network access protocol and setting the NPS server as the primary RADIUS server
- Enabling NAP-based quarantine control
- Enabling quarantine for clients that are not NAP-capable (optional), which includes configuring Forefront TMG as a Remote Access Quarantine Agent (RQS) listener in order to support legacy clients.
Where to start: To configure Forefront TMG to use NAP, in the Forefront TMG Management console tree, click Virtual Private Networks (VPN), and then in the details pane, click the VPN Clients tab.
To set Extensible Authentication Protocol (EAP) as the authentication method for VPN clients
In the tasks pane, click Select Authentication Methods.
On the Authentication tab, click Extensible authentication protocol (EAP) with smart card or other certificate.
Keep this window open for the following tasks.
To configure RADIUS settings
On the RADIUS tab, click Use RADIUS for authentication, and then click RADIUS Servers.
If a RADIUS server representing the Network Policy Server (NPS) is not configured, click Add to do so. If one has been configured, verify that the configuration matches the one detailed in the following steps.
For Server name, enter the name or IP address of the NPS server.
Click Change to create a new shared secret. Record the shared secret for use when configuring the NPS server.
If you find that you are experiencing communication problems between Forefront TMG and the NPS, consider increasing the time-out value, which is configurable on the RADIUS server.
Click OK to close the Add RADIUS Server dialog box.
In the RADIUS Servers dialog box, if multiple RADIUS servers are listed, use the up arrow to promote the NPS RADIUS server to the top of the queue, and then click OK.Step 2
To enable NAP-based quarantine control
In the tasks pane, select Configure Quarantine Control.
On the Quarantine tab, select the Enable Quarantine Control and Quarantine according to RADIUS server policies check boxes, and then click OK.
Enabling quarantine for clients that are not NAP-capable (optional)
If your deployment includes clients that are not NAP-capable, it is recommended that you enable support for these clients via Forefront TMG-based quarantine.
To do so, you need to prepare Forefront TMG as an RQS listener. For instructions, see Installing the remote access quarantine tool.
For an up-to-date list of client operating systems that support NAP, see "Which versions of Windows support Network Access Protection as a client?" at http://www.microsoft.com/technet/network/nap/napfaq.mspx.